Syslog Notification Fails to Send


Article ID: 160643


Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Syslog notification is set up; however, at times no messages are sent.

Code 1807 is observed in alerts on the Enforce server, indicating that a Syslog response rule failed.

Cause

The issue is a known defect in DLP versions prior to 14.6.

The response length of the syslog response rule was hard coded to 1024 bytes of data, and the response packets were limited to 1460 bytes.

This limit has been increased to 64k in version 14.6, the maximum packet size for syslog messages.

Resolution

The following error is referenced in the IncidentPersister*.log:

Aug 4, 2010 12:34:59 PM (SEVERE) Thread: 16 [com.vontu.command.CommandRuntime.executeCommands] Error executing command: syslog
com.vontu.command.CommandException: Unable to write to syslog: host=10.112.60.12, port=514
                at com.vontu.incidenthandler.command.enforce.SyslogLogger.execute(SyslogLogger.java:128)
                at com.vontu.command.CommandRuntime.executeCommands(CommandRuntime.java:763)
                at com.vontu.command.CommandRuntime.access$900(CommandRuntime.java:64)
                at com.vontu.command.CommandRuntime$CommandExecutor.run(CommandRuntime.java:1281)
                at edu.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:728)
                at java.lang.Thread.run(Unknown Source)
Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 2670 MAX_MESSAGE_SIZE: 1460
                at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:142)
                at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:25)
[...]

Note: In versions prior to V10 this error may appear in the manager log instead.

RFC 3164 and RFC 3195 specify that BSD and RAW syslog messages must not be longer than 1024 characters; otherwise, syslog servers and relays ignore the end of the message. Note that these RFCs are not binding standards, but they are widely implemented.
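Because a failed Syslog response rule means the notification was silently dropped, it is worth scanning the IncidentPersister log for this specific exception rather than waiting for code 1807 alerts. The following is an added example (not Symantec/Broadcom product code) that extracts the reported size, the MAX_MESSAGE_SIZE and the syslog target from log text; the sample log is constructed, with its first lines modeled on the error quoted above.

```python
"""Scan IncidentPersister-style log text for oversized-syslog failures.
Added example, not product code. The sample log lines are constructed."""
import re

# Matches the 'Caused by' line written when a syslog message exceeds MAX_MESSAGE_SIZE.
# The misspelling 'to large' is reproduced verbatim because that is what the product logs.
OVERSIZE_RE = re.compile(
    r"SyslogException: Syslog message to large: size: (?P<size>\d+) MAX_MESSAGE_SIZE: (?P<limit>\d+)"
)
# Matches the preceding CommandException line so the failing target can be reported too.
TARGET_RE = re.compile(r"Unable to write to syslog: host=(?P<host>[\w.:-]+), port=(?P<port>\d+)")

# Constructed sample log; the first lines mirror the error shown above.
SAMPLE_LOG = """\
Aug 4, 2010 12:34:59 PM (SEVERE) Thread: 16 [com.vontu.command.CommandRuntime.executeCommands] Error executing command: syslog
com.vontu.command.CommandException: Unable to write to syslog: host=10.112.60.12, port=514
                at com.vontu.incidenthandler.command.enforce.SyslogLogger.execute(SyslogLogger.java:128)
Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 2670 MAX_MESSAGE_SIZE: 1460
                at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:142)
Aug 4, 2010 12:40:02 PM (INFO) Thread: 16 [com.vontu.command.CommandRuntime.executeCommands] Command completed: syslog
"""


def find_oversized_syslog_errors(log_text):
    """Return one record per oversize failure: size, limit, excess bytes and the
    most recent syslog target (host, port) seen before the failure."""
    findings = []
    last_target = None
    for line in log_text.splitlines():
        target = TARGET_RE.search(line)
        if target:
            last_target = (target.group("host"), int(target.group("port")))
            continue
        match = OVERSIZE_RE.search(line)
        if match:
            size, limit = int(match.group("size")), int(match.group("limit"))
            findings.append(
                {"size": size, "limit": limit, "excess": size - limit, "target": last_target}
            )
    return findings


if __name__ == "__main__":
    for finding in find_oversized_syslog_errors(SAMPLE_LOG):
        print(
            f"syslog notification dropped: {finding['size']} bytes, limit {finding['limit']}, "
            f"{finding['excess']} bytes over, target {finding['target']}"
        )
```

Run this against a copy of the log on a schedule, or feed the records into whatever alerting the Enforce team already uses; the `excess` value tells you how far the notification has to shrink (for example by removing custom attributes) before it will fit under the limit.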

In this case, the send fails when the message exceeds the guideline limit of 1024 by a wide margin, and the error above is the result. Please keep in mind that syslog servers are designed to store system events and small notifications as (short) text; they are not designed for large contextual data or to act as a remediation system. Current remediation systems take these short texts and context information to trigger workflows, and store additional data in their own databases.

The underlying reason is often the use of custom attributes, which can produce messages far larger than 1024 characters, since the standard email notification is not bound to any length limit.

As a best practice, create Syslog notifications without custom attributes, including only short fixed content such as the incident ID or violator as a reference. If the remediator or whoever consumes the syslog entry requires more in-depth details, they can log into the Vontu UI. Alternatively, the incident ID from the syslog notification can be used to retrieve the incident directly through the Reporting API and store the incident data in a secondary remediation system.

Another approach is to trigger a workflow via email notification. Some customers then extract the contextual information, including all custom attributes, from the email and store it in a secondary remediation system.

This is a limitation of the Syslog libraries used. The current limit in the product (prior to 14.6) is a maximum message length of 1460 characters.
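To see why a notification template with custom attributes blows past both the 1024-character RFC 3164 guideline and the 1460-byte product limit while a reference-only template stays well under, the following added example (not Symantec/Broadcom code) assembles a BSD-style syslog line and measures its on-the-wire size. The notification field layouts, host name and tag are constructed for illustration; the limits are the ones stated in this article.

```python
"""Estimate the on-the-wire size of a DLP-style syslog notification and flag
messages that exceed a limit. Added example, not product code; the field
layouts, host name and tag below are constructed."""

RFC3164_MAX = 1024   # guideline limit from RFC 3164 / RFC 3195 (characters)
PRODUCT_MAX = 1460   # MAX_MESSAGE_SIZE reported by the Enforce error (pre-14.6)


def build_syslog_message(facility, severity, timestamp, host, tag, body):
    """Assemble a BSD-style (RFC 3164) syslog line: <PRI>TIMESTAMP HOST TAG: BODY.
    PRI is facility * 8 + severity; timestamp must already be in 'Mmm dd hh:mm:ss' form."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {host} {tag}: {body}"


def check_message_size(message, limit=PRODUCT_MAX):
    """Return (fits, size_in_bytes). Size is measured after UTF-8 encoding,
    which is what the sender actually puts on the wire."""
    size = len(message.encode("utf-8"))
    return size <= limit, size


def render_notification(fields):
    """Flatten notification fields into 'key=value' pairs separated by ' | '."""
    return " | ".join(f"{key}={value}" for key, value in fields.items())


# Constructed sample: a lean notification that carries only references,
# as the best practice above recommends.
LEAN_FIELDS = {
    "incident_id": "1234567",
    "policy": "PCI-DSS Credit Card Numbers",
    "severity": "High",
    "violator": "jdoe@example.com",
}

# Constructed sample: the same notification padded with custom attributes,
# including a roughly 1500-character "matched_content" attribute.
VERBOSE_FIELDS = dict(LEAN_FIELDS)
VERBOSE_FIELDS.update({
    "manager": "msmith@example.com",
    "department": "Finance",
    "matched_content": "4111111111111111 " * 88,   # 17 chars * 88 = 1496 chars
})


def size_report(fields, host="enforce01", tag="DLP"):
    """Build the message for the given fields (facility local0=16, severity info=6)
    and report its size against both the RFC guideline and the product limit."""
    body = render_notification(fields)
    message = build_syslog_message(16, 6, "Aug  4 12:34:59", host, tag, body)
    fits_product, size = check_message_size(message, PRODUCT_MAX)
    fits_rfc, _ = check_message_size(message, RFC3164_MAX)
    return {"size": size, "fits_rfc3164": fits_rfc, "fits_product": fits_product}


if __name__ == "__main__":
    for name, fields in (("lean", LEAN_FIELDS), ("verbose", VERBOSE_FIELDS)):
        print(name, size_report(fields))
```

The lean template comes in at a little over 100 bytes, so it is safe under either limit; the verbose one exceeds 1460 bytes and would fail exactly as in the log above. Checking the rendered template size this way before deploying a response rule avoids discovering the problem only when notifications stop arriving.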